[SVLS-8660] ci: add gitleaks secrets scanning (#1134)

## Summary

- Adds \`gitleaks\` secrets scanning workflow
(\`.github/workflows/secrets-scan.yml\`) triggered on every PR and push
to \`main\`
- Pins \`gitleaks-action\` to commit SHA (v2.3.9) consistent with repo
convention
- Adds \`.gitleaks.toml\` with documented allowlist structure for paths,
regexes, and historical commits — includes maintenance guidance for
future contributors
- Addressed Copilot review feedback: add \`permissions: contents:
read\`, enable \`--redact\` to prevent secrets appearing in CI logs, fix
allowlist key reference in comments

## Why

Secrets accidentally committed to a public repo (API keys, tokens,
credentials) are the highest-severity risk for a public repository.
Neither \`cargo audit\` nor Copilot catch this category. \`gitleaks\`
uses pattern matching to block merges before a credential lands in
\`main\`.

## Test plan

- [ ] Verify \`Secrets Scan\` job passes on this PR (no secrets in
changed files)
- [ ] After merging: add \`Secrets Scan\` as a required status check
under \`Repository Settings → Branches → main → Branch protection
rules\`
- [ ] Optional smoke test: add a fake credential (e.g.,
\`AKIAIOSFODNN7EXAMPLE\`) to a comment on a test branch, confirm the job
blocks it, then remove it

## Related

- JIRA: https://datadoghq.atlassian.net/browse/SVLS-8660
- Part of Phase 1 CI security scanning — see
\`.github/docs/ci-security-scanning-strategy.md\`
- Companion PR: #1133 (Copilot instructions for PII/security review)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: litianningdatadog

.github/workflows/secrets-scan.yml

@@ -0,0 +1,26 @@
+name: Secrets Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  gitleaks:
+    name: Secrets Scan
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
+        with:
+          args: --redact
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

.gitleaks.toml

@@ -0,0 +1,42 @@
+title = "datadog-lambda-extension gitleaks config"
+
+# This file configures gitleaks to suppress known false positives.
+# Only add entries here after confirming a finding is NOT a real secret.
+# If a real secret is found: rotate it immediately, then add the commit hash to the `commits` list under [allowlist] below.
+#
+# Maintenance workflow:
+#   1. gitleaks flags something on a PR
+#   2. Review the finding — is it a real secret or a false positive?
+#   3. Real secret    → rotate immediately, fix the code, optionally add the commit hash below
+#   4. False positive → add the appropriate entry below with a comment explaining why
+
+[allowlist]
+description = "Known false positives"
+
+# paths: skip entire directories or files from scanning.
+# Use when a directory contains third-party code or test fixtures with fake data.
+# Examples:
+#   "integration-tests/node_modules"  — npm dependencies, not our code
+#   "bottlecap/tests/fixtures"        — test payloads with placeholder values
+#   "docs/examples"                   — documentation examples with fake keys
+paths = [
+  # npm dependencies bundled under integration-tests — not our code, would be noisy
+  "integration-tests/node_modules",
+]
+
+# regexes: suppress findings whose matched secret value matches one of these patterns.
+# Use for placeholder/example values that appear in source or docs but are not real secrets.
+# Examples:
+#   '''your-api-key'''          — generic placeholder in docs or scripts
+#   '''my_test_key'''           — unit test placeholder (bottlecap/tests/)
+#   '''AKIAIOSFODNN7EXAMPLE'''  — AWS example key from official AWS documentation
+#   '''DD_API_KEY_EXAMPLE'''    — Datadog placeholder used in README examples
+regexes = []
+
+# commits: suppress all findings from a specific historical commit.
+# Use when a commit contained a now-rotated credential that cannot be rewritten
+# (e.g., it is already on the default branch or in a public tag).
+# Always document why the commit is suppressed and confirm the credential was rotated.
+# Examples:
+#   "abc123def456"  — rotated DD_API_KEY accidentally committed on 2024-01-15, key invalidated
+commits = []